“Unless it is absolutely necessary to run Java in web browsers, disable it.” That’s the word from the U.S. Department of Homeland Security’s Computer Emergency Readiness Team, as posted two days ago on its website.
Ouch. It’s rough when your own government tells you that software is bad for you.
This isn’t the first time DHS has launched a drone strike on Java, either. Oh, no. This is just an update of an earlier post that warned citizens away from Java, saying that bugs in the program were being exploited to commit identity theft and other crimes.
Oracle (now the owner and keeper of Java) released an emergency update to Java after the first government wave-off. But DHS isn’t impressed. Even after the patch, they’re still telling users to jettison Java.
I almost feel bad for Oracle. They’re in a tough spot, what with the government warning people that their product is hazardous. If only someone at, say, Philip Morris could help them deal with this dilemma.
I’ll be honest: I’ve never liked Java, and this latest brouhaha just confirms my long-held bias. Java is a virus-implementation language, pure and simple. It’s slow, pointless, slow, needlessly complicated, slow, resource-hungry, and slow. It’s evidently buggy, too, but so is most software, so I can’t really whack Oracle for that. Oh, wait—yes I can. Java is enabling identity theft, credit-card fraud, and general malfeasance sufficient to attract a public warning from the Federal Freaking Government! That’s about as spectacularly untrustworthy as you can get.
It also seems supremely unnecessary to me. What is the point of Java again? Oh, yeah—to allow programs to run on any platform, anywhere, regardless of processor, hardware, or operating system. “Write once, run anywhere,” right? How’s that working for you?
Last time I checked, there wasn’t a single Java program anywhere that ran on every Java platform. I don’t think even the Java version of “hello, world” works everywhere. There are just too many variables, and trying to create an entire virtual machine on top of a real machine is like building a house of cards in a moving airplane. A biplane. While flying upside-down.
Since embedded designers generally know what hardware/software platform they’re targeting, they have no particular need of Java. On the contrary: Java just adds another layer of software, indirection, and unpredictability between them and their system. Platform-independence, if it even existed, is largely irrelevant.
At the other end of the spectrum, we’ve got desktop programmers targeting PCs, Macs, the occasional Linux box, and whatever other desktop environments still exist. They also know their platforms pretty well. PC architecture hasn’t changed in a couple of decades (it just seems like centuries), and Mac APIs are pretty well-understood. So what incentive do these guys have for chasing platform independence? There’s a reason we don’t see Java-based games or serious applications.
In the middle we have smartphones, most of which run Android, most of which run third-party apps, most of which use Java. With the plethora of different Android-based phones, I can see the allure of Java for reaching the largest customer base possible. But doesn’t that putative independence also exact a big toll on performance, capability, and size?
For most embedded developers, efficiency is important. Maybe not the most important thing—that would be schedules—but right up there near the top. Reliability is also key, and for life-critical systems, the overriding concern. And cost. And determinism. And so on. None of which bodes well for Java in embedded systems. To host Java, you need a biggish system, a lot of memory, and a lot of patience. It’s fine for adding clever animation to the occasional web page, but it’s a poor excuse for a real platform when developing embedded systems.
And according to the guys who tap phones and chase terrorists for a living, Java’s also a security risk. In this case, I’m inclined to agree.